Closed ArulkumarPonnusamy closed 1 year ago
Anyone, please help.
Hello,
I think you are right that the `Digest` header only contains the SHA-256 value of the request body itself, not the secret. Because the `Digest` header will be signed along with other headers using the secret and the signature will be in the `Authorization` header, which already includes the value of the additional `Digest` header.
The hash inside `Digest` is the hash value in binary and then base64 encoded. Not base64 of the hexadecimal value of the binary!
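
The encoding point in the reply above, as an added example that is not part of the original thread or of Kong's code: it builds the `Digest` value from the raw hash bytes, shows the hex-then-base64 variant failing the same comparison, and shows where the secret actually enters. The secret, date and body are constructed sample values, and the `name: value` signing-string layout in `sign` is an assumption for illustration.

```python
import base64
import hashlib
import hmac

def digest_header(body: bytes) -> str:
    """Expected value: base64 of the raw 32-byte SHA-256 hash (44 chars)."""
    raw = hashlib.sha256(body).digest()
    return "SHA-256=" + base64.b64encode(raw).decode()

def digest_header_hex_mistake(body: bytes) -> str:
    """Common mistake: base64 of the 64-char hex text of the hash (88 chars)."""
    hex_text = hashlib.sha256(body).hexdigest().encode()
    return "SHA-256=" + base64.b64encode(hex_text).decode()

def body_matches(body: bytes, digest_received: str) -> bool:
    """Mirror of the quoted Lua comparison; no secret is used at this step."""
    expected = digest_header(body).encode()
    return hmac.compare_digest(expected, digest_received.encode())

def sign(secret: bytes, date: str, digest: str) -> str:
    """The secret enters here: HMAC-SHA256 over the signed headers, Digest
    included. The newline-joined "name: value" layout is an assumption."""
    signing_string = f"date: {date}\ndigest: {digest}"
    mac = hmac.new(secret, signing_string.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

# Constructed sample values, not taken from the thread
SECRET = b"example-secret"
DATE = "Mon, 01 Jan 2024 00:00:00 GMT"
BODY = b'{"amount": 10}'

if __name__ == "__main__":
    good = digest_header(BODY)
    bad = digest_header_hex_mistake(BODY)
    print("correct Digest :", good, "->", body_matches(BODY, good))
    print("hex mistake    :", bad, "->", body_matches(BODY, bad))
    # Changing the body changes the Digest, which changes the signature,
    # so the secret protects the body without being part of the Digest.
    print("signature      :", sign(SECRET, DATE, good))
    print("tampered body  :", body_matches(b"tampered", good))
```
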
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Is there an existing issue for this?
Kong version (`$ kong version`)
3.0
Current Behavior
HMAC digest validation is not working
Expected Behavior
I am generating the digest string using the body content with the secret. Then I am passing the digest value in the header as "HMAC-256=dijeststring"
Steps To Reproduce
No response
Anything else?
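```lua
-- Fragment of a larger function: body and digest_received are set earlier.
-- sha256 and encode_base64 are assumed to be resty.sha256 and ngx.encode_base64.
local digest = sha256:new()
digest:update(body or '')
-- digest:final() returns the raw hash bytes, which are base64-encoded and prefixed
local digest_created = "SHA-256=" .. encode_base64(digest:final())
return digest_created == digest_received
```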
I didn't understand the above code. Are we not using the secret to create the digest string? Also, what is "SHA-256=" .. encode_base64(digest:final())? Are we concatenating a static string to the base64 value of the digest?